RNGD(8)                     System Manager's Manual                    RNGD(8)

NAME
       rngd - Check and feed random data from hardware device to kernel random
       device

SYNOPSIS
       rngd [-b, --background] [-f, --foreground] [-d, --debug] [-l, --list]
       [-x, --exclude] [-n, --include] [-O, --option] [-i, --ignorefail]
       [-o, --random-device=file] [-p, --pid-file=file] [-r, --rng-device=file]
       [-s, --random-step=nnn] [-e, --entropy-count=nnn] [-t, --test]
       [-W, --fill-watermark=nnn] [-q, --quiet] [-?, --help] [-V, --version]

DESCRIPTION
       This daemon feeds data from a random number generator to the kernel's
       random number entropy pool, after first checking the data to ensure
       that it is properly random.

       The -f or --foreground options can be used to tell rngd to avoid
       forking on startup. This is typically used for debugging. The -b or
       --background options, which fork and put rngd into the background
       automatically, are the default.

       The -r or --rng-device options can be used to select an alternate
       source of input, besides the default /dev/hwrng. The -o or
       --random-device options can be used to select an alternate entropy
       output device, besides the default /dev/random. Note that this device
       must support the Linux kernel /dev/random ioctl API.

OPTIONS
       -b, --background
              Become a daemon (default)

       -f, --foreground
              Do not fork and become a daemon

       -d, --debug
              Enable debug messages

       -l, --list
              List the indexes and names of available entropy sources. Exit
              code when listing sources is 0 if at least 1 entropy source was
              found and initialized, 1 otherwise.

       -x, --exclude
              Disable entropy sources based on index or (shortname) reported
              from --list option

       -n, --include
              Enable entropy sources based on index or (shortname) reported
              from --list option

       -O, --option
              Provide specific config options to individual entropy sources,
              in the format --option [index|shortname]:key:value. See the
              Entropy Sources section below for indices and source specific
              options. Note that specifying -O [<index>|<shortname>] will
              print the available options for that index to the console

       -p file, --pid-file=file
              File used for recording daemon PID, and multiple exclusion
              (default: /var/run/rngd.pid)

       -i, --ignorefail
              Ignore repeated FIPS failures

       -o file, --random-device=file
              Kernel device used for random number output (default:
              /dev/random)

       -r file, --rng-device=file
              Kernel device used for random number input (default: /dev/hwrng)

       -s nnn, --random-step=nnn
              Number of bytes written to random-device at a time (default: 64)

       -t, --test
              Enter test mode. In this mode (which implies -f), all generated
              entropy is discarded and rngd reports the amount of entropy
              generated every second

       -e nnn, --entropy-count=nnn
              Number of bits per byte to consider random when adding entropy.
              1<=e<=8 (default: 8)

       -W nnn, --fill-watermark=nnn
              Once rngd starts feeding entropy, it keeps feeding random-device
              until at least fill-watermark bits of entropy are available in
              its entropy pool. By default, this value is set to 75% of the
              entropy pool size, or 2048 bits if the entropy pool size couldn't
              be determined. Setting this too high will cause rngd to dominate
              the contents of the entropy pool. Low values will hurt system
              performance during entropy starvation. Do not set fill-watermark
              above the size of the entropy pool (usually 4096 bits). A value
              of 0 for this option will cause no watermark to be set.

       -q, --quiet
              Suppress all messages

       -?, --help
              Give a short summary of all program options.

       -V, --version
              Print program version

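       The kernel /dev/random ioctl API that the description refers to, as an
       added example that is not rngd's own code: it ties -s (bytes per step),
       -e (bits credited per byte) and -W (fill watermark) to RNDGETENTCNT and
       RNDADDENTROPY. Function names are the example's own, and the sample
       buffer used in testing is constructed rather than real entropy.

```c
#include <fcntl.h>
#include <limits.h>
#include <linux/random.h>   /* RNDGETENTCNT, RNDADDENTROPY, struct rand_pool_info */
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Bits credited for one step of nbytes at bits_per_byte (rngd -e);
 * -1 if -e is outside 1..8 or the step would not fit the ioctl's int fields. */
long entropy_credit_bits(size_t nbytes, int bits_per_byte) {
    if (bits_per_byte < 1 || bits_per_byte > 8 || nbytes > INT_MAX / 8) return -1;
    return (long)nbytes * bits_per_byte;
}

/* Build the RNDADDENTROPY argument: credit in bits plus the bytes themselves.
 * Caller frees; NULL on bad arguments or allocation failure. */
struct rand_pool_info *build_pool_info(const unsigned char *buf, size_t nbytes, int bits_per_byte) {
    long credit = entropy_credit_bits(nbytes, bits_per_byte);
    if (credit < 0) return NULL;
    struct rand_pool_info *rpi = malloc(sizeof *rpi + nbytes);
    if (!rpi) return NULL;
    rpi->entropy_count = (int)credit;
    rpi->buf_size = (int)nbytes;
    memcpy(rpi->buf, buf, nbytes);
    return rpi;
}

/* Kernel entropy estimate in bits, or -1 if dev lacks the /dev/random ioctl API. */
int current_entropy_bits(const char *dev) {
    int fd = open(dev, O_RDONLY), ent = -1;
    if (fd < 0) return -1;
    if (ioctl(fd, RNDGETENTCNT, &ent) < 0) ent = -1;
    close(fd);
    return ent;
}

/* One rngd-style step: feed nbytes only while the pool is below watermark
 * (0 = no watermark). Returns 1 if fed, 0 if the pool is already full enough,
 * -1 on error (RNDADDENTROPY needs CAP_SYS_ADMIN, so expect -1 unprivileged). */
int feed_step(const char *dev, const unsigned char *buf, size_t nbytes, int bits_per_byte, int watermark) {
    int cur = current_entropy_bits(dev);
    if (cur < 0) return -1;
    if (watermark > 0 && cur >= watermark) return 0;
    struct rand_pool_info *rpi = build_pool_info(buf, nbytes, bits_per_byte);
    int fd = rpi ? open(dev, O_WRONLY) : -1, rc = -1;
    if (fd >= 0) { rc = ioctl(fd, RNDADDENTROPY, rpi) < 0 ? -1 : 1; close(fd); }
    free(rpi);   /* free(NULL) is a no-op */
    return rc;
}
```

       The request-building helpers can be exercised without privileges;
       only the RNDADDENTROPY call itself needs CAP_SYS_ADMIN.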

ENTROPY SOURCES
       Hardware RNG (hwrng) [Index 0]
              The Hardware RNG is a generic entropy source that draws entropy
              from a hardware rng attached by default to /dev/hwrng

       TPM (tpm) [Index 1]
              Entropy drawn from on board TPM device. Note this entropy
              source is deprecated and will be removed soon, as newer tpm
              devices export entropy via /dev/hwrng, which is collected by the
              hwrng source above

       RDRAND/RDSEED (rdrand) [Index 2]
              Entropy drawn from the RDRAND and RDSEED instructions (x86 only)

              Options

              use_aes - select if rdrand is used to seed a cprng to produce
              entropy, or if all entropy is drawn directly from the rdrand
              instruction (default 0)

       DARN (darn) [Index 3]
              Entropy drawn from the DARN instruction (ppc64 only)

              Options

              use_aes - select if the power darn instruction is used to
              directly fill the entropy pool, or if it is used as a periodic
              seed to an aes based cprng (default 1)

       NIST Entropy Beacon (nist) [Index 4]
              Entropy gathered from the NIST network entropy beacon. Note
              that this entropy source is disabled by default as it should
              never be used for cryptographic purposes, or any use case in
              which random data should be known only by a single entity.

       JITTER (jitter) [Index 5]
              Entropy gathered by measuring timing variance of operations on
              the local cpu

              Options

              thread_count - Set the number of threads that the jitter
              entropy source will spawn

              buffer_size - Set the size of the buffer cache that each thread
              maintains

              refill_thresh - Set the low watermark for the cache that
              triggers its corresponding thread to start refill operations

              retry_count - If all entropy buffers are empty, retry this many
              times before giving up. Note that jitterentropy can take
              several seconds to refill a buffer, and so retries after a delay
              may be preferable to repeatedly spinning on an empty buffer
              (default 1)

              retry_delay - Between each retry for retry_count above, sleep
              for this many seconds. May also be the special value -1,
              representing adaptive sleep, where each retry delay will be half
              the recorded execution time of the last entropy gathering round
              (default -1)

       PKCS11 (pkcs11) [Index 6]
              Entropy gathered via the opensc openssl engine, which can
              extract entropy from various smart card readers

              Options

              engine_path - Set the path for the pkcs11 engine DSO to load

              chunk_size - Some pkcs11 engines have restrictions on how much
              data can be requested at a time; this option allows for the
              request to be subdivided into smaller chunks to be satisfied

AUTHORS
       Philipp Rumpf
       Jeff Garzik - jgarzik@pobox.com
       Matt Sottek
       Brad Hill
       Neil Horman - nhorman@tuxdriver.com

rng-tools 6.9                     March 2001                           RNGD(8)